Redirect from HTTP to HTTPS before basic auth
While reviewing PCI scan results for a client I found a finding where the scanner flagged a private admin URL that requested HTTP basic auth over plain HTTP. The admin portion of the site has its own authentication method and it is served completely over HTTPS. We have a second layer of protection with basic auth, but the issue is that the basic auth username and password could be snooped on, since the URL can also be reached over HTTP.
My initial research and attempts at fixing the problem did not work out as intended, until I found this blog post on the subject. The blog laid out all of the approaches I had already tried and then presented a new solution.
I followed the recommended hack, which is to use SSLRequireSSL in a Location block matching the admin area, together with a custom 403 ErrorDocument. This 403 ErrorDocument does a bit of munging of the URL and redirects from HTTP to HTTPS. The instructions in the blog did have one issue: in our environment I could not serve the 403 document from the admin area; I had to put it in an area that could be accessed over HTTP and by the public. I’m not sure how it could work being served from a URL that requires SSL and is protected by basic auth. The reason that this hack …
apache audit hosting security
Announcing Ruby gem: email_verifier
How many times have you tried to provide a really nice validation solution for form fields containing user emails? Most of the time, the best we can come up with is some long and incomprehensible regex we find on StackOverflow or somewhere else on the Internet.
But that’s really only a partial solution. As tricky as email format correctness is to get right using regular expressions, a format check doesn’t provide us with any assurance that the email address the user entered actually exists.
But it does a great job at finding some typos and misspellings… right?
Yes, but I’d argue that it doesn’t cover the full range of that kind of data entry error. The user could fill in ‘whatever’ and traditional validation through regexes would do a great job at finding out that it’s not really an email address. But what I’m concerned with here are all those situations when I fat-finger kaml@endpoint.com instead of kamil@endpoint.com.
Some would argue at this point that it’s still recoverable since I can find out about the error on the next page in a submission workflow, but I don’t want to spend another something-minutes on going through …
ruby rails
SFTP virtual users with ProFTPD and Rails: Part 1
I recently worked on a Rails 3.2 project that used the sweet Plupload JavaScript/Flash upload tool to upload files to the web app. To make it easier for users to upload large and/or remote files to the app, we also wanted to let them upload via SFTP. The catch was, our users didn’t have SFTP accounts on our server and we didn’t want to get into the business of creating and managing SFTP accounts. Enter: ProFTPD and virtual users.
ProFTPD’s virtual users concept allows you to point ProFTPD at a SQL database for your user and group authentication. This means SFTP logins don’t need actual system logins (although you can mix and match if you want). Naturally, this is perfect for dynamically creating and destroying SFTP accounts. Give your web app the ability to create disposable SFTP credentials and automatically clean up after the user is done with them, and you have a self-maintaining system.
Starting from the inside-out, you need to configure ProFTPD to enable virtual users. Here are the relevant parts from our proftpd.conf:
##
# Begin proftpd.conf excerpt. For explanation of individual config directives, see the
# great ProFTPD docs at …
database mysql postgres ruby rails sysadmin
Verify Addresses the Easy Way with SmartyStreets
Adding an address form is a pretty common activity in web apps, and even more so in ecommerce web apps. Validations on forms allow us to guide the user to fill out all required fields and to make sure the fields conform to basic formats. Up until now, going further with addresses to verify they actually exist in the real world was a difficult enough task that most developers wouldn’t bother with it. Imagine though the cost to the merchant who ships something to the wrong state because the customer accidentally selected “SD” (South Dakota) when they thought they were selecting “SC” (South Carolina), a simple enough mistake to make and one that wouldn’t be caught by most address forms. In today’s ecommerce world customers expect deliveries to be fast and reliable, and in this case the customer would have to wait until the package is returned to the merchant marked “Address Unknown”, only to wait even longer for the reshipment. Even worse for the merchant, maybe the package never gets returned.
SmartyStreets is a new address verification API that I implemented for our client Mobixa, a web app that allows people to sell their used …
ecommerce javascript api
Advanced Product Options (Variants) in Piggybak
About a month ago, Tim Case and I developed and released a Piggybak extension piggybak_variants, which provides advanced product optioning (or variant) support in Piggybak. Piggybak is an open source Ruby on Rails ecommerce platform developed and maintained by End Point. Here, I discuss the background and basics of the extension.
Motivation & Background
The motivation for this extension was the common ecommerce need for product options (e.g. size, color), where each variation shares high-level product information such as a title and description, but variants have different options, quantities available, and prices. Having been intimately familiar with Spree, another open source Ruby on Rails ecommerce framework, we decided to borrow from Spree’s product optioning data model after seeing how flexible it has proven over many projects. The resulting model is similar to Spree’s data model, but differs a bit because of Piggybak’s mountability design.

Spree’s data model for advanced product optioning. A product has many variants. Each variant has and belongs to many option values. A product also has many options, which define …
ecommerce piggybak rails
Lazy AJAX
Don’t do this, at least not without a good reason. It’s not the way to design AJAX interfaces from scratch, but it serves well in a pinch, where you have an existing CGI-based page and you don’t want to spend a lot of time rewriting it.
I was in a hurry, and the page involved was a seldom-used administration page. I was attempting to convert it into an AJAX-enabled setup, wherein the page would stand still, but various parts of it could be updated with form controls, each of which would fire off an AJAX request, and use the data returned to update the page.
However, one part of it just wasn’t amenable to this approach, or at least not in a quick-and-dirty way. This part had a relatively large amount of inline interpolated (Interchange) data (if you don’t know what Interchange is, you can substitute “PHP” in that last sentence and you’ll be close enough). I wanted to run the page back through the server-side processing, but only cared about (and would discard all but) one element of the page.
My lazy-programmer’s approach was to submit the page itself as an AJAX request:
$.ajax({
url: '/@_MV_PAGE_@',
data: { …
interchange javascript jquery
tmux and SecureCRT settings
Richard gave me a call today to show the wonders of tmux. I am using Windows, and unfortunately, right off the bat I couldn’t see color and there were a bunch of accented a’s dividing the panes.
After some trial and error and finding this post on the subject we got it working. The key is to configure SecureCRT to use xterm + ANSI colors and set the character set to UTF-8 and “Use Unicode line drawing code points”.
Hooray! I’ll be trying out tmux in day-to-day use to see if it will replace or augment screen for me.
terminal
Update Your GNU Screen Config on the Fly
An Indispensable Tool
I use Screen constantly in my work at End Point. It is an indispensable tool that I would not want to operate without. It’s so handy to resume where I left off after I’ve detached or when my connection drops unexpectedly. This is likely preaching to the choir but if you are not already using Screen and/or tmux, start now.
The Scenario
I often find myself in the following situation:
- SSH into a server
- Fire up a new Screen session
- Create several windows for editing files, tailing logs, etc.
- Realize the default Screen configuration is inadequate or does not exist.
- Facepalm \O/
While my needs are fairly minimal, I do like to bump up the scrollback buffer and display the list of windows in the status line.

There are a couple of options at this point. I could put up with the default / non-existent configuration, or create a config file and manually re-create the session and all of the windows to pick up the configuration changes. Neither of these options was desirable.
I wanted to be able to update the configuration and have all of the existing windows pick up the changes. After asking around a little I ended up taking a look at the manual and discovered the …
terminal tips